# ding

ding, pronounced `[diŋ]`, is in the French language an onomatopoeia evoking the sound produced by the bells of a steeple or the bell of a front door. ding is a tool for port knocking, hence the name. It took me 10 seconds to find it, be nice.

For those who haven't heard of it, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the connection attempts to connect over specific port(s).

ding: your brand-new secure* port knocking client in less than 400 lines of code.

\*In its default configuration, ding protects the configuration file by encrypting it with XChaCha20-Poly1305, an authenticated encryption with associated data (AEAD) algorithm that combines the XChaCha20 stream cipher with the Poly1305 message authentication code.

## How to use it

### Setup

The values of the `-t`/`--timeout` (or `timeout`) and `-d`/`--delay` (or `delay`) flags are of type [time.Duration](https://pkg.go.dev/time#Duration), which means the time unit can be any of the following: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`, i.e. nanosecond, microsecond, millisecond, second, minute and hour respectively.

By default, and for obvious reasons, the configuration file is encrypted (with XChaCha20-Poly1305). You can disable this behavior with the `-i` or `--insecure` flag. Also, the minimum entropy of the password is 65; you can (at your own risk) easily get around this with the `-b` or `--bypass-password-entropy` flag. Note that entropy is only checked during the setup phase.

```shell
$ ding setup --help
```

```
NAME:
   ding setup - Launches ding setup

USAGE:
   ding setup [command options] [arguments...]

OPTIONS:
   --address value, -a value                          address to knock
   --port value, -p value [ --port value, -p value ]  ports to knock
   --timeout value, -t value                          timeout in milliseconds (default: 1500ms)
   --delay value, -d value                            delay in milliseconds between knocks (default: 100ms)
   --insecure, -i                                     don't de/cipher configuration file (default: false)
   --bypass-password-entropy, -b                      insecurely bypass password entropy (default: false)
   --help, -h                                         show help
```

#### Interactive mode

```shell
$ ding setup
? address to knock: 192.168.10.6
? port to knock (separated by commas if several): 38457,22949,9686
? timeout in milliseconds: 1.5s
? delay in milliseconds between knocks: 100ms
? password: *****************
```

#### Non-interactive mode

```shell
$ ding setup -a 192.168.10.6 -p 38457 -p 22949 -p 9686 -t 1500ms -d 100ms
? password: *****************
```

These two approaches boil down to exactly the same thing.

If you go to `$XDG_CONFIG_HOME/ding/` or `$HOME/.config/ding/`, you'll find a file named `.salt` containing the salt used to derive the 32-byte key that encrypts the configuration file (unless you used the `-i` or `--insecure` flag), as well as the configuration file itself, encrypted or not.

```shell
$ ls -lah ~/.config/ding/
total 16K
drwxr-xr-x  2 adrien users 4.0K Jun 30 17:01 ./
drwxr-xr-x 30 adrien users 4.0K Jun 30 17:01 ../
-rw-r--r--  1 adrien users  132 Jun 30 17:11 config.toml
-rw-r--r--  1 adrien users   32 Jun 30 17:11 .salt
```

### Use

```shell
$ ding help
```

```
NAME:
   ding - Command line interface tool to knock ports

USAGE:
   ding [global options] command [command options] [arguments...]

VERSION:
   untagged-0000000000

AUTHOR:
   Adrien

COMMANDS:
   setup, s  Launches ding setup
   help, h   Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --insecure, -i  don't de/cipher configuration file (default: false)
   --help, -h      show help
   --version, -v   print the version
```

It couldn't be simpler. The password is the same as the one entered during the setup phase.

```shell
$ ding
? password: *****************
```

If you add the `-i` or `--insecure` flag when you didn't specify it during the setup step, the encrypted file is handed straight to the TOML parser and you'll get an error like this:

```
2023-07-01T11:09:51+02:00 FTL toml: line 1: invalid UTF-8 byte: 0xc4
```

However, if you've set up ding correctly, you should be able to access your server via SSH.
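The knock sequence that the setup flags above describe (address, ports, timeout, delay), as an added Go example that is not ding's own code: `KnockConfig`, `ParseKnockConfig` and `Knock` are assumed names. `ParseKnockConfig` applies the same `time.Duration` parsing as the flags, so `1.5s` and `1500ms` are interchangeable, and `Knock` makes one connection attempt per port in order, treating a refused or timed-out dial as the normal outcome rather than a failure.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// KnockConfig holds what ding's setup asks for (field names are assumed, not ding's own).
type KnockConfig struct {
	Address string
	Ports   []int
	Timeout time.Duration // per attempt (-t/--timeout)
	Delay   time.Duration // pause between knocks (-d/--delay)
}

// ParseKnockConfig validates flag-style input; durations go through time.ParseDuration, so "1.5s" == "1500ms".
func ParseKnockConfig(addr string, ports []int, timeout, delay string) (KnockConfig, error) {
	t, errT := time.ParseDuration(timeout)
	d, errD := time.ParseDuration(delay)
	if errT != nil || errD != nil || t <= 0 || d < 0 {
		return KnockConfig{}, fmt.Errorf("invalid timeout %q or delay %q", timeout, delay)
	}
	for _, p := range ports {
		if p < 1 || p > 65535 {
			return KnockConfig{}, fmt.Errorf("port %d out of range", p)
		}
	}
	return KnockConfig{Address: addr, Ports: ports, Timeout: t, Delay: d}, nil
}

// Knock makes one TCP connection attempt per port, in order, pausing Delay between attempts.
// Knock ports are normally closed, so a refused or timed-out dial is the expected outcome.
func Knock(cfg KnockConfig) int {
	for _, p := range cfg.Ports {
		if c, err := net.DialTimeout("tcp", net.JoinHostPort(cfg.Address, fmt.Sprint(p)), cfg.Timeout); err == nil {
			c.Close() // something answered; the knock is the attempt itself, not a session
		}
		time.Sleep(cfg.Delay) // pause before the next knock (the trailing pause is harmless)
	}
	return len(cfg.Ports)
}

func main() { // constructed input mirroring the README's setup example
	cfg, err := ParseKnockConfig("192.168.10.6", []int{38457, 22949, 9686}, "1500ms", "100ms")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sent %d knocks to %s\n", Knock(cfg), cfg.Address)
}
```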